By Cortney Metzger
Is your orthodontic practice protected from a data breach? Orthodontists like you tend to assume that their practices are safe. You trust your staff, and feel that they are well-trained and well-informed about the need to be diligent in protecting confidential customer information. Unfortunately, the concern cannot be limited to your staff; it must also include the hacker working to get your practice’s information. No practice is immune, and the regulations affecting your practice are always changing.
Thinking that a data breach won’t happen to your practice can quickly lead to trouble. Don’t think so? Take a look at the list of cases currently under investigation by the U.S. Department of Health and Human Services’ Office for Civil Rights for breaches of unsecured protected health information. As of May 2019, the list contained 476 covered entities. Of these 476 entities, 352 were classified as healthcare providers. Keep in mind that, as required by section 13402§(4) of the HITECH Act, this list only contains breaches affecting 500 or more individuals that have been reported within the last 24 months.
Breaches don’t discriminate. Even large companies with vast technological resources have come under cyberattack. Organizations such as Anthem Blue Cross, Equifax, Facebook, Google+, Marriott, Orbitz, T-Mobile, TRICARE, UCLA Health System, and Yahoo have been attacked and breached. According to the California Department of Insurance’s website, Anthem reported that their data breach, including current and past enrollees, potentially compromised the information of up to 80 million people. Marriott’s data breach, as reported by The Washington Post in November 2018, exposed the private travel details of up to 500 million of their customers.
So what is an orthodontic practice to do? To start, you can ensure that your patients’ data is protected when they use a debit or credit card to pay for services in your practice. And this is where your practice’s PCI Compliance comes into play.
If you haven’t heard about PCI Compliance before or understood the role it plays in data protection, now would be a good time to do just that.
What Is PCI Compliance?
PCI Compliance refers to the universal set of standards known as the PCI-DSS, the Payment Card Industry Data Security Standard. The standards apply to all organizations accepting debit or credit card transactions and were put in place by the PCI Security Standards Council, composed of major credit card companies including Visa, MasterCard, American Express, Discover, and JCB. The Council has placed the responsibility of ensuring your compliance on you—not only are you responsible for your own compliance but also for the compliance of your vendors. For instance, if you use a third party to process your debit and credit card transactions, you need to ensure that vendor meets PCI standards—just as your vendors are required to ensure that your practice is meeting PCI standards.
PCI Compliance, as defined by the PCI Security Standards Council, is a three-step process: Assess, Remediate and Report. You must a) assess your office procedures and equipment and analyze them for vulnerabilities; b) fix those vulnerabilities; and c) report your progress to the appropriate banks, vendors, and card brands. The responsibility of protecting your patients’ (and Responsible Billing Parties’) personal and payment method information is heavy, and the threat is real.
What Can You Do to Protect Your Practice?
Let’s face it: Data thieves are becoming more and more sophisticated, meaning you need solutions that can adapt just as quickly as they do. The good news: This isn’t all on you. There are products specific to the orthodontic space that can help. One such product is OrthoBanc. This risk assessment and payment management company offers users an easy-to-use PCI Compliance Solution designed to help navigate the ever-evolving Payment Card Industry’s compliance regulations. Using their compliance portal, your practice can answer a series of questions that will help the system analyze your practice security standards and also run a scan on your network(s) to locate any potential weaknesses. Once vulnerabilities are identified, a list of needed actions will be provided; simply print and distribute that list to your team so they can make the needed updates. Once all items are addressed, you can run the network scan again in order to receive an Attestation of Compliance. That certificate will be housed in OrthoBanc’s solution as evidence of your PCI Compliance. This compliance tool also comes with $100,000 in data breach protection.
While PCI Compliance is only one tool in protecting your practice’s data, adherence to this set of standards can go a long way in protecting your patient relationships. OP
Cortney Metzger is a marketing coordinator with OrthoBanc LLC.